Recently in Security Category

I recently encountered a bug in Movable Type where uploading a certain image failed with the message "Saving (filename) failed: Invalid image file format". Some digging led me to the file lib/MT/Image.pm where the uploaded image was failing a check. This was in MT4, but some older versions of MT5 can also have this happening. So, what is going on?

The official announcement is here. The upgrade is mandatory if you want to keep up with security fixes. Note: it looks like this update is not just a simple drop-in-and-run-the-upgrader affair; there are changes to several JavaScript and other templates as well. If you are (mostly) using the default templates, this should be quite easy to deal with by refreshing the templates in question. If you are using customized versions of these templates, it looks like you need to do some manual editing to avoid comments etc. breaking on the new version.

It is not announced on the Open Melody blog yet, but Open Melody 1.0.2 is out. This is a critical maintenance update containing the security fixes recently applied to Movable Type. Release notes are here, download is here.

If you are running Movable Type and you have users on your system you can't completely trust, you urgently need to update to the latest version, says Six Apart in an announcement this morning. They specifically mention that this release fixes an issue where:

Under certain circumstances, a user who has "Create Entries" or "Manage Blog" permissions may be able to read known files on the local file system.

That is bad, as it would allow a potential attacker to read things like configuration files, which may contain passwords or other sensitive information.

Anyone using the MT Cumulus plugin to generate a Flash-based tag cloud, take heed: there is a security vulnerability in the Flash part of this plugin that allows script injection attacks. If you are using this plugin, it is probably better to remove it for now until an update becomes available, and to rely on Movable Type's built-in HTML-based tag cloud widget instead.

After the recent hacking of PBS.org (most likely caused by a 0day exploit in an older version of Movable Type 4), it is probably a good idea to review the security of your Movable Type installation. To help you, we compiled this list of ten security tips, with help from the engineers at Six Apart Japan.